Here we go again, some new professional certifications achieved yesterday…
IBM Certified Database Administrator - DB2 UDB V8.1 for Linux, UNIX and Windows
IBM Certified Database Associate - DB2 Universal Database V8.1 Family
IBM Certified Administrator for SOA Solutions - WebSphere Process Server V6.0
IBM Certified SOA Associate
Finally I got some Information Management certifications as well. 
Nice!
IBM Certified System Administrator — WebSphere Application Server Network Deployment V6.0
IBM Certified Deployment Professional — WebSphere Process Server V6.0
Some guys from work and me are attending to this years IBM Impact conference in Las Vegas. This will be my first time in Sin City and I’m quite excited about the trip. I’ll try to keep up blogging about both the interesting technical stuff from the conference and my personal impressions about the city.
(insider) I have already ordered some drivers gloves which I have to pick up at the local Bimmer dealer - so what could go wrong? 
(/insider)
My colleague Martin got his own blog, finally! He is called Mr. Baseline internally at the company because of he is responsible for the Baseline methodology invented by Zystems. I’m sure that he will come up with a lot of interesting articles about EAI and SOA from a high level point of view.
Ian Vanstone from WebSphere MQ development at IBM Hursley laboratories blogged on the “a Hursley view on WebSphere MQ” blog about design considerations when planning for full repositories in your WebSphere MQ cluster.
Ian says:
In summary, have exactly two full repositories per cluster unless you have a very good reason and fully interconnect them with manually defined cluster sender channels.
IBM has recently changed their design for their professional certification marks and guess what, they look crap. That’s at least my personal opinion about this re-design.
That’s the new look for WebSphere:
and this for Tivoli:
Here is an example for how the logo looked like before:
Not that this is very important but I just don’t like it.
Last week I made my first Tivoli certificate at the Transaction & Messaging Technical Conference in Vienna. I hope that IBM will develop some sort of test for the Omegamon XE for Messaging as well soon, the ITM V6.1 test is way to general for my area of expertise.
My current certificates:
IBM Certified Deployment Professional - Tivoli Monitoring V6.1
IBM Certified Solution Designer - WebSphere MQ V6.0
IBM Certified System Administrator - WebSphere Message Broker V6.0
IBM Certified System Administrator - WebSphere MQ V6.0
IBM Certified System Administrator - WebSphere Business Integration Message Broker V5
IBM Certified System Administrator - WebSphere MQ V5.3
Would be nice to expand knowledge in the area of WAS (WebSphere Application Server) soon as well.
Hendrik works at the software lab services at Hursley and this is the second time I’ve attended to one of his sessions, last time was in Atlanta 2006. The session was mainly focused on how high availability works within WAS and how you would deploy high available applications in your environment. HA compared to WLM (Work Load Management), the HTTP Server Plugin does not provide smart WLM which should be taken in consideration when planning an environment for WLM.
One interesting field was the topic on how to handle the situation when a not HA enabled Deployment Manager gets corrupted or unavailable. To be able to accomplish this you should take backups of the configuration on a regular basis using the backupConfig command, to restore the configuration the command restoreConfig should be used. The path of restoring an unavailable Deployment Manager on another host could be looking something like:
1.Backup your DMGR on a regular basis using backupConfig
2.Re-install the WAS product to the backup server to the exactly same location as the corrupt one
3.Restore your DMGR configuration using the restoreConfig command
4.Change DNS entries to point to the new server
Hendrik presented a slide showing a WAS ND Cluster environment “Gold Design” (an infrastructure design setup assuming that money is not a problem) Very interesting and complex.
Another important design consideration when running clusters in two data centers either active/active or active/passive is to keep track on network latency. It is NOT recommended to run cells that span over two data centers due to network latency, you should run 2 cells, one in each data center instead.
One more session with Simon, this time about the capabilities to use IBM’s DataPower as an XML firewall in your corporate SOA network. This little colored pizza boxes come with real out of the box security capabilities. They provide a much higher level of security compared to other software based XML parsers as they are a sealed network resident device with an optimized hardware, firmware and embedded operating system. The firmware is a single signed/encrypted image and resides inside a tamper proof box, opening the box with a screwdriver would automatically disable the device. The configuration of the DataPower device is default off locked down which provides better security out of the box, it comes without drives or usb ports, only a serial port for the console.
Why should you buy a DataPower appliance anyway?
IBM says:
SOA appliances centralize XML functions as they can do more than just routing, they validate and transform at wire speed.
Traditional systems do not offer much protection, XML validation is typically off for performance reasons. By the time they try to parse the message it’s often too late.
Simon spoke about the 4 main broad threat classification as there are:
Each of the threats were explained in detail where an XML entity expansion attack called “Billion Laughs Attack” was explained.
Read more about various XML threats as Billion Laughs and their prevention on DevCentral
As summary I would call the DataPower appliances some real cool hardware and I’m sure that most of the companies out there running their SOA approach should think about using them in their environments.
Simon Kapadia held the WAS (WebSphere Application Server) Infrastructure Security Hardening session at this years IBM Transaction & Messaging Technical Conference. Simon explained the following attack levels:
-Network
-Machine
-External Application
-Internal Application Isolation
WAS V6.1 has improved security hardening by the the meaning “Secure by default” which means that Administrative Security is on by default and most subsystems as well.
The following list are some of the more important things to think about concerning security in your WAS environment.
Network Design Considerations
Use HTTPS for the browser
Configure Secure File Transfer
Keep up to date with patches and and fixes
Enable Application Security
Restrict Access to WebSphere MQ
SIBus
Harden the Web Server and Host
-Limit the modules loaded
-Review the Web Server configuration
-Consider limiting the SSL strength allowed
-Ensure that the WAS plugin is configured to only forward traffic for the right application
-Remove the JRE’s installed when installing the Web Server and the Web Server Plugin
-WAS V6.0 and later can manage Web Servers as part of the Cell, this is NOT recommended in a production environment
Harden the Proxy Host
Configure and use TAI’s carefully
Consider Authenticating Web Server to WAS link
Limiting Web Container Access to trusted servers
Don’t run samples in production
Choose an appropriate process identity
Protect your configuration files & private keys
Encrypt the LDAP link
This were some of the most important measures to take into consideration when revising the WAS infrastructure security.
Simon then explained the medium and less important security hints to us, unfortunately the time was up very soon. This topic definitely needs more time to be discussed.
Tim Dunn who recently was a speaker at our this years “Integration Days” at Zystems held this very interesting session about performance in the WMB. Mainly the whole platform can be seen as 3 key building blocks which are Design, Development and Configuration & Tuning. Different pieces of components need to be reviewed as they all are part of the integration platform:
I would assume Transport and Queue Manager in the same puzzle tile but that’s just my 5 cent. All of the parts listed above should be taken into consideration when designing your integration platform for performance.
The main processing requirements are:
Data
Transport
Processing Pattern
QoS
Tim went through all of the typical usage patterns used in WMB briefly. He explained what happens “under the skin” of a quite simple looking message flow, how the parsing, navigation, and the Message/Business processing occurs. Tree copying is very expensive as you have to handle a big structure in the broker.
Some of the improvements to think about:
Parsing
The cost of parsing is significantly higher when parsing tds instead of xml.
A very good performance improvement is to do partial parsing the following table shows this in numbers:
Ration CPU cost 1 KB Message 16 KB Message 256 KB Message
Filter First 1 1 1
Filter Last 1,4 3,4 5,6
High processing cost applies for 2-face commit in WMB as well so try to avoid it when not needed.
How can you increase the message throughput in your platform?
Mainly there are 4 different ways to accomplish that:
Recommendations for execution groups
How many instances of a message flow to run?
The 3 rules!
Tim then had a small drive through of the IS02 supportpac which we already do use in some environments. We do not yet use the “Accounting and Statistics” - plugin but soon we will as this gives you some real sexy bars and diagrams about the accounting statistics in the Message Broker.
Improvements in V6.1
Tim promised more details on the improvements as the product goes GA.
Summary
After moving to Linux at home I finally decided to give Linux a try even on my Thinkpad. It’s a T43 so there are no issues with drivers and other stuff, everything just works as expected out of the box. My former colleague and friend Niklas had some more trouble with his T61p when he tried to move to “the right side” this autumn. Well, maybe there will be some new driver updates and stuff for the T61p soon.
As i decided to go for Ubuntu at home it’s just logical to go Ubuntu at work as well. The range of applications from the standard installation satisfy many needs but I needed to install some additional software to gain full work functionality:
As you can see, not so many programs anyway, maybe I’ve forgotten some but I’ll update them later. The most disappointing thing is that I have to run a virtual Windows XP box to run Outlook and Visio. It would have been OK for Visio as I don’t have to use it that often but for Outlook it’s worse. Outlook is definitely one of my main tools in the day to day work for mailing, contacts, meetings and the sync stuff with the phone. So there’s no way around with IMAP or OWA as IMAP is no solution for the meeting/contacts thing and OWA is not only ugly it’s disgusting when you are forced to connect to it in simple mode in a Firefox session. Maybe I should give IE in Wine a try? Otherwise I would be pretty happy with an Evolution that works with Exchange 2007 but it seems it’s just a question of time until this will be resolved and I can skip the VMware thing.
Yepp, it’s time again for the IBM Transaction and Messaging Technical Conference 2007 this year in Vienna, Austria. Last year we were in Atlanta this year it’s Vienna. Hopefully we will meet up with all the friends from IBM in Hursley and with the guys from our partner company X-INTEGRATE.
We’re going to have our own booth their as well so feel free to drop by for a chat if you’re there.